Thursday, 18 July 2013

Oracle APEX - JQuery UI XSS Bug

JQuery UI is a brilliant library included in APEX that can help developers with both the functionality and the aesthetics of their applications. However, it is not without its bugs. There is a known bug in JQuery UI (#6016) that causes a cross site scripting vulnerability in applications that include modal dialogs with dynamic titles.

Here is a simple example of a Cross Site Scripting (XSS) attack that exploits this bug in the code from our previous blog post:

Although this bug has been fixed in JQuery UI v.1.8.4, APEX 4.2.2 ships with version 1.8.22, so in terms of developing secure applications with APEX, this is still an issue that must be addressed in order to ensure your applications are secure.

The issue is that the Jquery dialog box does not HTML escape the data before rendering it in the title, therefore this must be done manually by the developer. To fix the issue you can add the following line to your JavaScript function:

title=
$('<div/>').text(title).html().replace('"','&quot;');

The text() function in JQuery HTML escapes anything within it apart from single and double quotes, so for added safety we included double quotes by adding “.html().replace('"','&quot;')”

This and other security issues are regularly found in our code reviews for our high security installs.